Privacy Policy
Last updated: 8 March 2026
1. Introduction
Statura Care Pty Ltd (ABN pending) ("we", "us", "our") is committed to protecting the privacy of personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
This policy describes how we collect, use, store, and disclose personal information through the Statura platform ("Service").
2. Information We Collect
Account Information
When you create an account, we collect your name, email address, and organisation details. This is necessary to provide the Service.
Organisation Data
Your organisation submits data to the Service including staff records, resident information, clinical care records, compliance documentation, and related data. This data is owned by your organisation and processed solely to provide the Service.
Sensitive Information
The Service may process health information and other sensitive information as defined under the Privacy Act. This information is collected and processed only on behalf of your organisation, which remains the data controller and is responsible for it. We act as a data processor and handle it only to provide the Service.
Usage Data
We collect technical data such as IP addresses, browser type, and usage patterns in order to maintain, secure, and improve the Service. Where possible, this data is aggregated and anonymised before it is analysed.
3. How We Use Information
We use collected information to:
- Provide, maintain, and improve the Service
- Communicate with you about your account and the Service
- Send transactional emails (e.g., password reset, billing)
- Monitor for security threats and prevent abuse
- Comply with legal obligations
We do not sell personal information. We do not use your organisation's data for advertising, profiling, or any purpose other than providing the Service.
4. Data Storage and Security
All data is stored in Australia, hosted on Supabase in the AWS ap-southeast-2 (Sydney) region. We implement the following security measures:
- Field-level AES-256-GCM encryption at rest for sensitive fields (Individual Healthcare Identifiers (IHI), Medicare numbers, Tax File Numbers (TFN), and bank details)
- TLS 1.2+ encryption for all data in transit
- Row-level security (RLS) policies in the database that isolate each organisation's data from every other organisation's
- Audit logging in which each entry is cryptographically chained to the previous one, so that tampering with or deletion of log entries is detectable
- Multi-factor authentication support (TOTP)
- Session timeout with configurable inactivity periods
- Content Security Policy and other HTTP security headers
5. Data Sharing
We share personal information only with:
- Service providers who assist in operating the Service (e.g., Supabase for database hosting, Stripe for payment processing, Resend for transactional email, Vercel for application hosting, Sentry for error monitoring). These providers are bound by their own privacy policies and data processing agreements.
- Law enforcement or regulators when required by law or to protect our rights.
6. Data Retention
We retain your data for as long as your account is active. If you delete your organisation, we retain data for 30 days to allow recovery, after which it is permanently deleted. Audit logs may be retained for up to 7 years to comply with regulatory requirements.
7. Your Rights
Under the Privacy Act, you have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your account and associated data
- Lodge a complaint about our handling of personal information
For organisation data (resident records, clinical data), please contact your organisation administrator, who can manage data through the Service.
8. Data Breach Notification
In the event of an eligible data breach under the Notifiable Data Breaches (NDB) scheme, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by Part IIIC of the Privacy Act.
9. Cookies
The Service uses essential cookies for authentication and session management. We do not use tracking cookies or third-party advertising cookies.
10. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email or in-app notice. The "Last updated" date at the top of this page indicates the most recent revision.
11. Contact Us
For privacy enquiries or to exercise your rights, contact us at:
- Email: hello@statura.care
If you are unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner.